Gitorious v2.4.10 has been released

As a refreshing change from the security-related versions of Gitorious over the last weeks, we’re glad to announce that version 2.4.10 of Gitorious was just released. This release contains fixes for several bugs in Gitorious, among them:

  • Fix broken pushes with sync messaging adapter
  • Fix layout for global system message
  • Fix mass-assignment related bugs
  • Include repositories in Project XML output
  • Fix broken User avatar upload
  • Finally fix the double merge request versions
  • Make bin/bundle work when bundle needs update(s)

Furthermore, you may place global git hooks on a location specified in gitorious.yml.

The steps for upgrading are, as usual:

  • git fetch origin
  • git merge v2.4.10
  • git submodule update
  • bundle install
  • touch tmp/restart.txt (assuming you’re using Passenger. For non-Passenger deployments, restart your application server like you normally do)

Happy upgrades!

Gitorious went down this morning

Our frontend web server went down at 6:24CET this morning, we will be updating this post as we bring the server back up. Here’s what we know right now:

  • At 6:24 CET a kernel oops occurred. The alarms at our hosting provider went off, and the server was rebooted.
  • Since the file system holding the repositories hadn’t had a full consistency check since August 2012, an fsck was started
  • When fsck hadn’t completed at 8:00 CET, the server was routinely rebooted, and another fsck process was started at 8:04 CET
  • The last time we ran a full fsck on the file system, it took about 2.5 hours. Since then, however, we have installed dedicated storage for our servers, and this has higher IO capacity than the one we were running from in August last year.
  • 10:06 CET: The server is back up. We will upgrade the kernel and do another reboot; hopefully the kernel issue we encountered earlier today has been resolved. Expect a few minutes of downtime shortly
  • 10:13 CET: All systems are running again, with an updated kernel

Improved and updated the Gitorious CE Installer (v2.4.9)

We’ve closed a number of recent security issues related to Ruby and Rails (which Gitorious depends on). The Community Edition Installer has lagged behind a bit but is, as of today, upgraded to install the latest version of Gitorious (v2.4.9). The update also includes our current recommended default settings plus some improvements to the installer itself.

Short story: following the steps outlined at http://getgitorious.com/installer on a fresh CentOS 6 server will ensure that you end up with the latest version of Gitorious installed.

Already running on an older version of Gitorious and need to upgrade? Follow the standard installation procedure outlined here.

Please let us know if you run into any issues with the installer: the Gitorious team can be reached at support@gitorious.org

Changelog for the installer:

Update to Gitorious v2.4.9 & improve installer

Brings the installer up to Gitorious v2.4.9, uses the current most
sensible default settings for that version, fixes recent Rails and
Ruby-related security issues and improves the installer itself.

Breakdown:

- Using resque instead of ActiveMq
- Using nginx+unicorn instead of apache+passenger
- Use latest version of Gitorious
- Includes fixes for recent Ruby/Rails security issues
- Using thinking sphinx instead of ultrasphinx
- Installer no longer nukes existing Ruby/Rubygems
- Installer logs puppet operations
- More robust puppet apply operation
- Truly random generated db/rails passwords
- Only create random db password on first run
- Remove unneeded git proxy, use git daemon directly

2.4.9 fixes regression in 2.4.8

I inadvertently broke creating new projects with yesterday’s 2.4.8 release. I have deployed a fix on gitorious.org, and just tagged 2.4.9. 2.4.9 also addresses a bug in Gitorious’ log graph visualization.

We made some sweeping changes yesterday, by changing attr_protected (which was the recent target of a Rails vulnerability) to attr_accessible – basically changing from black-listing to white-listing in what parameters can be posted to Gitorious and set on DB-backed models. It seems that one case was not covered by automatic tests, and was not discovered immediately.
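To make the black-list versus white-list point concrete, here is a constructed, Rails-free illustration (added here, not Gitorious code): a model whose deny-list was written before a later migration added a second privileged column, assigned with attr_protected-style and attr_accessible-style semantics. All column and parameter names are hypothetical.

```ruby
# Added example, not Gitorious code. Simulates mass assignment with the two
# Rails 2.3 strategies discussed above, without depending on ActiveRecord.
module MassAssignment
  # attr_protected semantics: every column is writable unless it is on the
  # deny-list. Keys that are not columns at all are dropped in both strategies.
  def self.assign_blacklist(columns, protected, params)
    params.each_with_object({}) do |(key, value), attrs|
      key = key.to_s
      next unless columns.include?(key)
      next if protected.include?(key)
      attrs[key] = value
    end
  end

  # attr_accessible semantics: only an explicit allow-list is writable.
  def self.assign_whitelist(accessible, params)
    params.each_with_object({}) do |(key, value), attrs|
      key = key.to_s
      attrs[key] = value if accessible.include?(key)
    end
  end
end

# Hypothetical user table. The deny-list was written when is_admin was the
# only privileged column.
ORIGINAL_COLUMNS = %w[login email is_admin].freeze
PROTECTED        = %w[is_admin].freeze
ACCESSIBLE       = %w[login email].freeze
# A later migration adds another privileged column; the deny-list is not updated.
MIGRATED_COLUMNS = (ORIGINAL_COLUMNS + %w[site_admin]).freeze

# Constructed request parameters: a signup form with two extra fields appended.
SIGNUP_PARAMS = {
  "login" => "alice", "email" => "alice@example.org",
  "is_admin" => true, "site_admin" => true
}.freeze

def blacklist_result
  MassAssignment.assign_blacklist(MIGRATED_COLUMNS, PROTECTED, SIGNUP_PARAMS)
end

def whitelist_result
  MassAssignment.assign_whitelist(ACCESSIBLE, SIGNUP_PARAMS)
end

if __FILE__ == $PROGRAM_NAME
  p blacklist_result  # site_admin gets set: the deny-list never heard of it
  p whitelist_result  # only login and email are set, regardless of new columns
end
```

The deny-list only stays correct if every future migration remembers to extend it; the allow-list stays correct by default, which is why the 2.4.8 change moved Gitorious to attr_accessible.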

Sorry for the inconvenience.

To upgrade your Gitorious, follow the regular procedure:

* git fetch origin
* git merge v2.4.9
* git submodule update
* bin/bundle install
* bin/rake assets:clear
* touch tmp/restart.txt (assuming you’re using Passenger. For non-Passenger deployments, restart your application server like you normally do)

Gitorious v2.4.8 is released

Three new vulnerabilities have been fixed for Ruby on Rails, on which Gitorious is built. Read the original announcements for further details. All users running their own Gitorious servers should upgrade immediately.

The steps for upgrading are, as usual:

  • git fetch origin
  • git merge v2.4.8
  • git submodule update
  • bundle install
  • touch tmp/restart.txt (assuming you’re using Passenger. For non-Passenger deployments, restart your application server like you normally do)

If you’re running on the next branch, that has been updated as well. Just pull from mainline, then restart your server, and you’re all set.

You will note that the advisory and the v2.4.8 tag were both signed with our PGP key, as part of the Security Policy described at our security page. By signing release tags and security advisories you can verify that these were in fact issued by the Gitorious team.

Gitorious v2.4.7 was just released

This morning we discovered a vulnerability in Gitorious which made us write this advisory on our mailing list and release version 2.4.7 of Gitorious. All users running their own Gitorious servers should upgrade immediately.

The steps for upgrading are, as usual:

  • git fetch origin
  • git merge v2.4.7
  • git submodule update
  • bundle install
  • touch tmp/restart.txt (assuming you’re using Passenger. For non-Passenger deployments, restart your application server like you normally do)

If you’re running on the next branch, that has been updated as well. Just pull from mainline, then restart your server, and you’re all set.

You will note that the advisory and the v2.4.7 tag were both signed with our PGP key, as part of the Security Policy described at our security page. By signing release tags and security advisories you can verify that these were in fact issued by the Gitorious team.

Gitorious 2.4.6 has been released

Gitorious 2.4.6 has just been released, and all Gitorious servers should be updated immediately. This release brings Gitorious up to Rails version 2.3.16, which solves a severe vulnerability in Ruby on Rails. There’s more information about this vulnerability on the Ruby on Rails security mailing list. This release also fixes the less severe CVE-0155 from two weeks ago.

To upgrade to this version, follow one of the three alternative fixes below:

If you’re running from a release in the 2.4 branch of Gitorious:

To upgrade a server running one of the releases in the 2.4 series of Gitorious, follow these steps:

  • git fetch origin
  • git merge v2.4.6
  • bundle install
  • touch tmp/restart.txt (assuming you’re using Passenger. For non-Passenger deployments, restart your application server like you normally do)

If you’re running from the next branch of Gitorious (Rails 3)

Guess what, you’re off the hook. This vulnerability does not affect Rails 3.2, which Gitorious 3 is built on.

If you’re running neither of the versions above:

If your server is not running from a version that can be upgraded, you can secure your server by following these manual steps:

  • create the file config/initializers/fix_cve_2013_0333.rb inside your Gitorious installation with this content:
    ActiveSupport::JSON.backend = "JSONGem"
  • restart your application server

Gitorious 2.4.5 has been released

Gitorious 2.4.5 has just been released, and all Gitorious servers should be updated immediately. This release brings Gitorious up to Rails version 2.3.15, which solves a severe vulnerability in Ruby on Rails. There’s more information about this vulnerability on the Ruby on Rails security mailing list.

To upgrade to this version, follow one of the three alternative fixes below:

If you’re running from a release in the 2.4 branch of Gitorious:

To upgrade a server running one of the releases in the 2.4 series of Gitorious, follow these steps:

  • git fetch origin
  • git merge v2.4.5
  • bundle install
  • touch tmp/restart.txt (assuming you’re using Passenger. For non-Passenger deployments, restart your application server like you normally do)

If you’re running from the next branch of Gitorious (Rails 3):

The next branch of Gitorious has also been upgraded. For servers running from the next branch you should:

  • git pull git://gitorious.org/gitorious/mainline.git next
  • bundle install
  • restart your application server

If you’re running neither of the versions above:

If your server is not running from a version that can be upgraded, you can secure your server by following these manual steps:

  • create the file config/initializers/fix_cve_2013_0156.rb inside your Gitorious installation with this content:
    ActionController::Base.param_parsers.delete(Mime::XML)
  • restart your application server

Gitorious 3.0 lands in the next branch

After a few months of hard work, we just merged the Rails 3 feature branch into the next branch in the Gitorious mainline repository.

The major new feature in this branch is that Gitorious now uses Rails 3. This required quite a few changes to Gitorious, which was bound to introduce some non-backwards-compatible changes. We took the opportunity to deal with a few other long pending issues, and we’re really happy with the way this turned out.

The major changes you will have to deal with while upgrading are as follows:

  • Upgrade your gitorious.yml. Quite a few of the settings in this file have been renamed for consistency, and gitorious.yml now also supports “global” settings shared between the various Rails environments.
  • Stomp is no longer supported for messaging. A lot of users have been having trouble getting a Stomp server running reliably, and the scripts we used for consuming messages off the message queue would leak memory, causing all kinds of problems. gitorious.org has been running with the new setup (Resque/Redis) without any issues for a month now, and this is the only supported asynchronous message queue in Gitorious 3.0. To start using Resque simply install Redis, which is available in the repositories for all major distributions.
  • Replace the database driver defined in config/database.yml on your server with “mysql2”.
  • You should consider upgrading your Ruby version to 1.9.3, although Gitorious 3 will still work with Ruby 1.8.7. Upgrading to 1.9.3 will give significant speed improvements, and 1.8.7 will only be supported for a limited period of time. If your distribution has 1.9.3 in its repositories you should be able to install it from there.

There’s a recipe for upgrading to Gitorious 3 in the doc/ directory in the mainline repository, and a script in bin/upgrade-gitorious3-config to migrate your gitorious.yml file to the new format.

What happens next?

We just completed the first step in the migration, which is merging it into the next branch in the mainline repository. New features will be created on this branch, and only critical patches will be backported to the 2.x-stable branch.

We plan to start migrating gitorious.org to 3.0 next week and will release 3.0.0 within a week or two. Although we’re not aware of any open issues in the current next branch, we will respond quickly to any issues reported from users running this branch on their servers. We have been running this branch on our internal (aka. dogfood) server for a long time without any major issues.

By running from the next branch of Gitorious, upgrading to the final version will be a matter of pulling and merging the 3.0.0 tag once that’s released. You’ll be reaping the benefits of a faster, simpler Gitorious installation and quick response from the Gitorious team to any issues you’re having.

While helping us finalize Gitorious 3.0, you will probably find a place or two where the UI contains escaped HTML code; this is due to Rails 3 by default escaping HTML to prevent XSS situations. These issues are easy to fix, but can be hard to find without extensive use of the UI.

Gitorious 2.4.4 was just released

Since switching to the git-flow model for management of the branches in Gitorious mainline, new features don’t appear in master except in the form of new versions. This means that a few new versions have been released (and deployed to gitorious.org) which haven’t been announced here.

We just pushed version 2.4.4 of Gitorious, the fourth patch version in the 2.4 series. There are no new features in this version, just a few bug fixes.

As usual, the Upgrading page on the wiki has the instructions for how to upgrade your server.
